You Shall (Maybe) Pass! Eric Mann 

Poster by DirectArtPrint - https://amzn.to/2ZYAMGq 

Authentication 

No content

No content

No content

No content

No content

No content

Password Strength 

(Full image slide with caption) Password Strength - xkcd - https://xkcd.com/936/ 

Information Entropy - https://www.itdojo.com/a-somewhat-brief-explanation-of-password-entropy/ 

Restrict passwords obtained from previously breached corpuses 

Have I Been Pwned - https://haveibeenpwned.com/ 

Have I Been Pwned Password API - https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity 

Brute Force Protection 

No content

No content

$cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost; 

$cost]); $end = microtime(true); } while (($end - $start) < $timeTarget); echo "Appropriate Cost Found: " . $cost; 

Secure Remote Passwords 

No content

PHP Example … in the July 2018 issue of php[architect]: https://www.phparch.com/magazine/2018-2/july/ 

$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES); $seed = sodium_crypto_pwhash(/* ... */); $keypair = sodium_crypto_kx_seed_keypair($seed); $public_key = sodium_crypto_kx_publickey($keypair); // POST this data to the server to register $registration = [ 'identifier' => $email, 'salt' => sodium_bin2hex($salt), 'public_key' => sodium_bin2hex($public_key) ]; SRP - Client Registration 

$user = get_user_from_database($email); $keypair = sodium_crypto_kx_keypair(); $public_key = sodium_crypto_kx_publickey($keypair); $keys = sodium_crypto_kx_server_session_keys($keypair, $user->key); $client_secret = $keys[1]; $server_secret = $keys[0]; $message = random_bytes(32); $hash = sodium_crypto_generichash($message, $server_secret); $proof = sodium_bin2hex($message . $hash); SRP - Initialize Auth Challenge (Server) 

$keys = sodium_crypto_kx_server_session_keys($keypair, $server_key); $client_secret = $keys[0]; $server_secret = $keys[1]; $server_proof = sodium_hex2bin($server_proof); $message = substr($server_proof, 0, 32); $hash = substr($server_proof, 32); if (!hash_equals( sodium_crypto_generichash($message, $server_secret), $hash )) { exit; } SRP - Complete Auth Challenge (Client) 

$keys = sodium_crypto_kx_server_session_keys($keypair, $server_key); $client_secret = $keys[0]; $server_secret = $keys[1]; /* ... */ $message = random_bytes(32); $hash = sodium_crypto_generichash($message, $client_secret); $proof = sodium_bin2hex($message . $hash); SRP - Complete Auth Challenge (Client) 

$client_proof = sodium_hex2bin($proof); $message = substr($client_proof, 0, 32); $hash = substr($client_proof, 32); if (!hash_equals( sodium_crypto_generichash($message, $client_secret), $hash )) { exit; } // Store the user's email in a session for subsequent requests $_SESSION['identifier'] = $email; SRP - Complete Auth Challenge (Server) 

The node-sodium project is a JS port of Libsodium for use on Node-powered servers. 

The libsodium.js project uses transpiling to convert the raw C code directly to WebAssembly for use in the browser! 

In Review ... Something you are, know (, and have) Strong passwords are a must Strong hashing is a must If you can, avoid ever seeing or interacting with passwords 

Questions? 

Thank you [email protected] | 503.925.6266